Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.

Web Server Misconfiguration: Directory Listing

Abstract
Listing directory contents without restriction can expose sensitive information and private resources.
Explanation
Directory listing vulnerabilities leak a complete index of all of the resources located in that directory. These vulnerabilities can result in exposure of files that should remain hidden, such as data files, backed-up source code, or applications in development. Unrestricted access to files containing sensitive information can aid further attacks against the application.
Directory listing vulnerabilities can be caused by:
1. Poor default configuration
In the absence of a default directory file, server configuration enables directory listing by default. In addition, the following configuration and setup examples might reveal directory contents to attackers:
Example 1: In many default configurations, certain modules installed on the server (e.g., the mod_autoindex module for Apache HTTP Server) can allow a directory listing to be obtained from the server even when index files exist and directory listing is disabled in the server configuration.
Example 2: Enabling services such as WebDAV on an IIS server might also expose directory contents. With the PROPFIND method, it might be possible to browse and list the contents of directories even if a default directory file (such as "default.htm") exists.
Example 3: In its default configuration, Netscape Enterprise Server has a feature called "Directory Indexing" turned on. When directory listing is enabled, the server returns directory listings to web users.
2. Input Validation
Failure to validate user-supplied data can cause directory listing vulnerabilities in servers and applications. Attackers can manipulate filenames and paths in the request URI to gain access to directory contents.
Example 4: JRun: A remote attacker can send a URL request appended with '%3f.jsp' to the server and gain access to the web root directory.
Example 5: BadBlue Webserver: Sending a request with % appended to the path causes the server to disclose the directory contents.
Example 6: Tomcat: Allows attackers to obtain complete directory listings by making a request containing a null byte.
Example 7: WebSTAR: The default installation contains a sample script that attackers can use to gain a directory listing of any directory on the server. Passing an asterisk (*) in the query string and appending it to the target directory path causes the script to disclose directory contents.
3. Encoding
Failure to properly handle requests containing encoded special characters can result in directory listing vulnerabilities.
Example 8: Attackers can view the contents of web directories by requesting certain encoded characters. By appending certain characters to a request for a directory, an attacker can "break" the mechanism a server uses to determine whether a request is for a directory or not and thus obtain a full directory listing.
Example 9: Appending an encoded null-byte to the directory name can reveal directory contents.
4. Traversal vulnerabilities
Failure to validate paths to requested directories can allow attackers to gain access to arbitrary directory contents through traversal attacks.
Example 10: /../examples//WEB-INF/../../../../
5. Access Control error
Exposure of sample or test scripts or administrative interfaces can allow attackers to browse contents of arbitrary directories.
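The following is an added example, not code from this taxonomy entry or from any of the servers it names: a static-file path resolver that handles the request shapes described in items 2 through 4 (malformed or null-byte encodings, traversal sequences) and, for item 1, refuses to serve a directory that has no index file rather than falling back to an automatic listing. The index file names, the temporary sample web root and its contents are constructed for the example.

```python
import os
import posixpath
import re
import tempfile
from urllib.parse import unquote

# Added example: a hardened static-file path resolver. Constructed values:
# the index file names below and the sample web root built by make_sample_root().
INDEX_FILES = ("index.html", "default.htm")      # assumed default directory files
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits

def resolve_request_path(web_root, request_uri):
    """Return (status, absolute_path); status is ok, bad_request, forbidden or not_found."""
    raw_path = request_uri.split("?", 1)[0]       # drop the query string before decoding
    if BAD_ESCAPE.search(raw_path):               # malformed escape such as a trailing '%'
        return ("bad_request", None)
    try:
        path = unquote(raw_path, errors="strict")  # percent-decode exactly once
    except UnicodeDecodeError:
        return ("bad_request", None)
    if "\x00" in path:                            # raw or encoded null byte in the path
        return ("bad_request", None)
    # Collapse '//', '/./' and '/../' against a virtual root so '..' cannot climb above it.
    rel = posixpath.normpath("/" + path).lstrip("/")
    root = os.path.realpath(web_root)
    full = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, full]) != root:  # symlink or other escape from the web root
        return ("forbidden", None)
    if os.path.isdir(full):
        for name in INDEX_FILES:
            candidate = os.path.join(full, name)
            if os.path.isfile(candidate):
                return ("ok", candidate)
        return ("forbidden", None)                # no index file: refuse, never list contents
    if os.path.isfile(full):
        return ("ok", full)
    return ("not_found", None)

def make_sample_root():
    """Constructed sample web root: /docs/ has an index file, /backup/ does not."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "backup"))
    with open(os.path.join(root, "docs", "index.html"), "w") as f:
        f.write("<h1>docs</h1>")
    with open(os.path.join(root, "backup", "site.tar.gz"), "w") as f:
        f.write("constructed backup archive")
    return root
```

A request for "/backup/" returns forbidden instead of an index of the backed-up archive, and the traversal path from Example 10 normalizes to the web root, which is likewise refused because it has no index file.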
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 548
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[7] Standards Mapping - FIPS200 CM
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), SC-28 Protection of Information at Rest (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-28 Protection of Information at Rest
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.3.2 Other Access Control Considerations (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)